FedWire ‘Your Wire Transfer’ themed emails lead to malware

Over the last day, cybercriminals have launched yet another massive email campaign impersonating FedWire in an attempt to trick users into thinking that their wire transfer was processed incorrectly. Once users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal or gang of cybercriminals behind the campaign.

Creates the following Mutexes:

It then phones back to the following C&C servers:

More malware samples (SHA256 hashes) are known to have phoned back to the same IPs over the last couple of days, for instance: